Better Assurance – How to Escape from “Audit Groundhog Day”: Idea 2: Co-produce IT!

The diagram below is a well-known COBIT framework of IT Governance and Control. It sums up all the key areas that Board of directors have to put in place and carry out in order for their organisation to thrive. What can auditors do to help make this happen? What must auditors stop doing in order to make this happen? One thing auditors must stop doing is thinking they can always carry on with what they did last year, and the year before that.

Stimulus to escape from “Audit Groundhog Day” and re-shaping audit and assurance comes from the RSA and ICAEW joint report Enlightening Professions? A vision for audit and a better society. The call to action is to move audit from a trust-producing product to a trust-producing practice.

The report states that one way this can be done is to use modern technology tomake audit more co-productive. ICAEW external auditors could shiftthe audit and assurance work from being purely their own external investigationsto sharing tools of enquiry and becoming expert convenors.

This new thinking for a co-productive approach could be used to address one of the biggest problems many organisations are facing – how to get a grip around the strategy, governance and audit of IT. For ISAE 3402 and AAF 01/06assurance reporting on IT controls is essential. However the control objectives are always at a high level control objectives focused on physical security, resilience of information processing, developing systems, processing recovery and monitoring third-party compliance.

COBIT: A framework of IT Governance and Control

In the spirit of ICAEW chartered accountants being more co-productive,ISAE 3402-AAF 01/06 assurance evidence could be better aligned with other standards such as the UK Cyber Essentials Scheme, ISO 27001 Information Security Management System, ISO 22301 Business Continuity Management, ISO 9001 Quality Management System and the PCI DSS data security on credit card requirements. ICAEW auditor/reporting accountantscould co-ordinate their tools of enquiry with the Cyber Essentials, ISO and PCC DSS consultants and the organisation’s own internal assurance and compliance managers working in this area. Areas of work performed and reviews undertaken could be shared and evidence requested commonly used. This would minimise repetition of effort for the client whilst enabling a wider ‘joined-up’ IT governance focus to emerge that would benefit directors leading the organisation’s business strategy.

Enlightening Professions? A vision for audit and a better societystates “the way to achieve successful change at the scale required can only be through bold innovation and generous collaboration.” To make this bold innovation I advocatewe need to be both co-productivewith other consultants and co-creative with internal Business Assurance / Internal Audit teams.

My actions to be co-creative are to work with client internal Business Assurance team to:

• Develop Board director competencies in technology governance such as that being discussed by Elizabeth Valentine
• Promote ‘lean audit’ through employeesself-assessment surveys of their performance operating their organisation’s control procedures
• Audit the organisation’s culture through behaviour assessments and map alignment against Cyber Essentials, ISO, PCC DSS and AAF 01/06 control objectives and the key performance drivers set by the Board directors

In the spirit of the Enlightening Professionsreport to encourage greater collaboration in this data-rich and trust-poor world we live in how would you answer these questions:

? How can assurance work with internal assurance and compliance teams become more co-productive and more co-creative for the benefit of Board directors?

? How could we best pioneer crowd-sourced audit tools using employees and customers to create a trust-based co-productive practice and get a better insight into how an organisation is performing?

This is number 2 in a series of blogs which seek to gather the escape velocity necessary to get out of Audit Groundhog Day. It takes new thinking for innovation in audit from the RSA (Royal Society of Arts) and the ICAEW (Institute of Chartered Accountants England & Wales) joint report Enlightening Professions? A vision for audit and a better society.

Blog 1:How to Escape from “Audit Groundhog Day”: Idea 1: Have a rethink!